The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!
Solved
Why does loopback mode trump GPPE drive maps but not GPO user logon script?
Posted on 2013-06-17
I recently migrated my users to a new GPO structure, taking advantage of numerous Group Policy Preferences. I’ve stumbled on to an issue where users’ drive mappings are not being made when they log into a conference room computer.
These conference room computers have loopback enabled (“Replace”) so I can lock several, albeit minor, settings down. The drive mappings are done via User GPPE > Windows Settings > Drive Maps. In the old days, I did it with a GPO user logon script (which worked). The GPPE drive maps do not work.
If I change the loopback mode to “merge”, it will work, but then I lose my ability to lock stuff down.
Anyone have an explanation or advice how to get around this?
These conference room computers have loopback enabled (“Replace”) so I can lock several, albeit minor, settings down. The drive mappings are done via User GPPE > Windows Settings > Drive Maps. In the old days, I did it with a GPO user logon script (which worked). The GPPE drive maps do not work.
If I change the loopback mode to “merge”, it will work, but then I lose my ability to lock stuff down.
Anyone have an explanation or advice how to get around this?
1 Comment
Active 2 days ago
To start with: you don't lose the ability to "lock stuff down" with Loopback processing in Merge mode.
All that Loopback mode does is tell the OS to apply user configuration GPOs based on the OU where the computer account is.
In "Merge" mode, the user configuration GPOs will be applied based on the user object's location in AD first, then the user configuration GPOs based on the computer object's location in AD (so that with concurrent policies, the one applied via Loopback will always win).
In "Replace" mode, any user configuration GPO based on the user object's location in AD will be skipped altogether, and only the ones linked to the computer object's location will be applied.
So you can either use "Merge" mode, making use of the Loopback's higher priority to lock down whatever was allowed in the default GPOs, or you can use "Replace" mode to log the users on with a clean slate, put all the drive mapping GPPs into their own dedicated GPO, and link the drive mapping GPO not only to the user OU, but to the conference room OU as well (or duplicate the GPPs, but if you need the same drive mappings, then that's not really the best solution).
Loopback processing of Group Policy
http://support.microsoft.com/kb/231287
All that Loopback mode does is tell the OS to apply user configuration GPOs based on the OU where the computer account is.
In "Merge" mode, the user configuration GPOs will be applied based on the user object's location in AD first, then the user configuration GPOs based on the computer object's location in AD (so that with concurrent policies, the one applied via Loopback will always win).
In "Replace" mode, any user configuration GPO based on the user object's location in AD will be skipped altogether, and only the ones linked to the computer object's location will be applied.
So you can either use "Merge" mode, making use of the Loopback's higher priority to lock down whatever was allowed in the default GPOs, or you can use "Replace" mode to log the users on with a clean slate, put all the drive mapping GPPs into their own dedicated GPO, and link the drive mapping GPO not only to the user OU, but to the conference room OU as well (or duplicate the GPPs, but if you need the same drive mappings, then that's not really the best solution).
Loopback processing of Group Policy
http://support.microsoft.com/kb/231287
Featured Post
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Join & Write a Comment Already a member? Login.
By default the complete memory dump option is disabled in windows . If we want to enable the complete memory dump for a diagnostic purpose, we have a solution for it. here we are using the registry method to enable this.
Unable to change the program that handles the scan event from a network attached Canon/Brother printer/scanner. This means you'll always have to choose which program handles this action, e.g. ControlCenter4 (in the case of a Brother).
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
- Windows 10
- Microsoft Legacy OS
- Windows 8
- Windows OS
- Windows 7
- Windows Vista, Windows XP, Windows 2000, *Internet Explorer (IE)
Suggested Courses
Course of the Month8 days, 13 hours left to enroll
595 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.